What to do if you’re infected with ransomware

So, your computer screen has been hijacked by criminals who are demanding money to return your systems. Now what?

This is a question that more people are having to ask themselves nowadays, with ransomware attacks reaching new heights in 2017. Ransom demands are designed to be threatening and scare you into paying the crooks as quickly as possible – and some ransomware, such as WannaCry, ratchets up the tension with a doomsday countdown. But it’s important not to panic.

By the time you’ve received the ransom demand, the worst of the damage has probably already happened. There are certain steps you can take to stop things from getting any worse and, eventually, get your business back up and running.

1. Disconnect infected devices from the network. This will stop the infection from spreading and give you time to plan your next moves.

2. Notify your employees of the attack. Without access to the network, most organisations will struggle to operate as normal. As such, many employees will have to work with pen and paper or else go home.

3. Photograph the ransom note and submit a police report. This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing an insurance claim.

4. Find out what kind of ransomware it is. Some kinds of ransomware have been cracked, with decryption tools available online, and others are fakes that don’t actually encrypt data at all. If you can work out which kind of ransomware it is, you can quickly clear up the infection and get back to work.

The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help identify it. Try submitting the file extension given to the encrypted files, the wording of the ransom demand and any URLs within it to ID Ransomware.

5. Remove the ransomware from your device. The safest way to do this is to restore your computers to factory settings. If the ransomware has stopped you from reaching recovery screens, you should use the installation disk or USB sticks on which your operating system is stored.

But be warned: this will mean you’ll lose all the data stored on the device, and there will be no point in paying the ransom. This is where having backups is extremely helpful – but even if you don’t, we strongly urge you not to pay the ransom. There’s no guarantee that the criminals will return your systems to normal, and you’ll be identified as a soft target for future attacks.
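
The clues named in step 4 (the file extension on encrypted files, the wording of the ransom note and any URLs in it) can be gathered in one pass before the device is wiped. The Python sketch below is an added example, not part of the original article; the expected-extension list, the note file-name hints and the sample folder are assumptions constructed for illustration, and it only reads files, so point it at a copy of the affected data.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions for this sketch: extensions you expect to see, and words that
# often appear in ransom-note file names. Adjust both to your environment.
EXPECTED_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".html"}
NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "ransom")
NOTE_EXTS = {".txt", ".html", ".hta"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def collect_clues(root):
    """Walk root read-only and gather the clues step 4 asks for."""
    ext_counts, notes = Counter(), {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffix, name = path.suffix.lower(), path.name.lower()
        if suffix in NOTE_EXTS and any(h in name for h in NOTE_HINTS):
            text = path.read_text(encoding="utf-8", errors="replace")
            notes[path.name] = {
                "wording": text.strip().splitlines()[:3],  # opening lines of the demand
                "urls": sorted(set(URL_RE.findall(text))),
            }
        elif suffix and suffix not in EXPECTED_EXTS:
            ext_counts[suffix] += 1  # likely the extension added to encrypted files
    return {"suspect_extensions": ext_counts.most_common(3), "notes": notes}


def demo():
    """Build a constructed sample folder (not real malware output) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("budget.xlsx.lockedx", "plan.docx.lockedx", "photo.jpg"):
            (base / name).write_bytes(b"\x00" * 16)
        (base / "README_DECRYPT.txt").write_text(
            "Your files are encrypted.\nPay at http://payment.example/id=123\n",
            encoding="utf-8",
        )
        return collect_clues(base)


if __name__ == "__main__":
    print(demo())
```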

Preventing ransomware attacks

Obviously, organisations would prefer not to suffer a ransomware attack at all. Your best chance of avoiding one is to adopt an ISO 27001-compliant information security management system (ISMS). ISO 27001 is the international standard that describes best practice for an ISMS, which provides a system of processes, documents, technology and people to help organisations manage their information security practices.

Although there is no such thing as 100% secure, ISO 27001 can significantly reduce the likelihood of your organisation being hit by ransomware. And if you do fall victim, it can help reduce the damage.

We offer a variety of products and services to help you implement an ISO 27001-compliant ISMS, including a pocket guide, packaged solutions and training courses.
